在我的 k8s 集群中,下面列出了一些秘密资源。
$kubectl 获取秘密 -n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-tokenistio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-tokenistio-mixer-service-account-token-29qbb kubernetes.io/service-account-tokenistio-pilot-service-account-token-t6kmf kubernetes.io/service-account-tokenistio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token
现在想用rbac控制一个service account test-istio-sa,这样test-istio-sa只能访问kubernetes.io/service-account-token类型的所有secret,比如istio-ca-service- account-token-rl4xm 和 istio-ingress-service-account-token-kwr85。
我创建了一个角色 kube-sa-token-reader,并将其绑定到服务帐户 test-istio-sa。
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: istio-system
name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
verbs: ["get", "watch", "list"]kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-kube-sa-token
namespace: istio-system
subjects:
- kind: ServiceAccount
name: test-istio-sa
roleRef:
kind: Role
name: kube-sa-token-reader
apiGroup: rbac.authorization.k8s.io但它似乎没有按预期工作。
$ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa
no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"